<xet7>
What is a secure way to have authentication for downloading files? Is it just a token in the header, or something more? It seems it's not so good to have a token in the URL. Or, should all be encrypted with JavaScript client-side, and only send encrypted data between browser and server?
jryans has joined #sandstorm
enick_937 has joined #sandstorm
<xet7>
Someone complained that on a local network, when the server is running with HTTP, it's too easy to sniff network traffic and download file URLs that include a token in the URL from that other sniffing computer
<xet7>
I have not looked at what additional protections Sandstorm has
<xet7>
I'm just thinking about files in WeKan
<xet7>
Well, Protonmail way would be to encrypt all at browserside
<xet7>
For DNS queries, those could use DNS over HTTPS so it's not visible at local network
<xet7>
that browser feature of DNS over HTTPS
<xet7>
WeKan REST API uses header auth; the token is in the header. That token is obtained by logging in to the API.
<xet7>
And WeKan reads the Sandstorm header to autologin the user to WeKan
<xet7>
For clientside encryption, Javascript could generate some token only at clientside, and use it to encrypt data
<xet7>
Although, then it's a question about my plans to have login etc all work without Javascript, using only HTML/CSS
<xet7>
so that WeKan would work with NetSurf, elinks etc
<xet7>
there Javascript can not be used for encryption
<xet7>
Well, on a local network, it could be possible to store the logged-in user's browser user agent, IP address, etc., whatever is available, and use one-time tokens on each loaded MPA webpage, always checking those tokens, IP address, etc., that those do not change.
<xet7>
Although, if someone changes network from LAN to mobile phone wifi etc, then user will be logged out
<xet7>
I'm just thinking about what amount of security is enough
<xet7>
Probably it should just be security to max, all encrypted browser-side and server-side, stored encrypted server-side, logging, unlimited undo/redo etc
<xet7>
Is there some secure encrypted web framework that already has security to max ?
griff has quit [Quit: griff]
zarvox has quit [Ping timeout: 256 seconds]
zarvox has joined #sandstorm
griff has joined #sandstorm
<enick_937>
Regarding client-side encryption: If the other party is the server, you're just reinventing TLS.
<isd>
Yeah, that's kinda my reaction: "Yes, eavesdropping is a problem if you don't use encryption?" The solution is to set up HTTPS.